Remote Timing Attacks -Rashmi Kukanur

Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses

What is Timing Attack  Timing Attack : Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.  General Belief: Web Servers and RSA Implementations are not vulnerable.

Cause of concern:  RSA security broken when factors of modulus exposed  OpenSSL widely used  Challenges the security of many crypto implementations

RSA review 1.Select two large prime numbers p and q. 2.Let N= pq be the modulus. 3.Choose e relatively prime to (p-1)(q-1) 4. Find d s.t. ed = 1 mod (p-1)(q-1) 5.Public key (N,e) 6.Private Key d  Encryption C = M e mod N  Decryption M = C d mod N

OpenSSL implementation RSA  Chinese Remainder Theorem  Exponentiation –Sliding Windows  Multiplication Routines –Karatsuba Algorithm O(nlog 2 3) –Normal Multiplication O(nm)  Montgomery Reduction

Chinese Remainder Theorem  Let m i ’s be relatively prime pair wise and  M = m 1 m 2 ……..m k, Mi = M / m i  C i = M i ( M i -1 mod m i )  a i = A mod mi  A mod M =(a 1 c 1 +a 2 c 2 +.+a k c k )mod M

RSA Decryption  C d mod pq can be computed from  m 1 = c d1 mod p, m 2 = c d2 mod q as  (m 1 c p + m 2 c q ) mod pq, where  c p = q(q -1 mod p), c q = p(p -1 mod q)  RSA decryption with CRT speedup

Timing differences comparison Montgomery reduction Schindler’s observation : Pr[Extra Reduction] = (g mod q) / 2R Multiplication Routine Karatsuba Normal Multiplication

Time variance - overview g<qg>q Montgomery effect LongerShorter Multiplication effect ShorterLonger g is the decryption value. Each is dominant at a different phase.

Timing Attack on Open SSL  Let N=pq with q<p.  Approximate q (approaching) guessing  q: g try g hi to decide guessing  q: g try g hi to decide i-1…i

Timing Attack (Contd.)  Initial guess g of q lies between (i.e 2 log 2 N/2 ) and (i.e 2 log 2 N/2-1 ) (i.e 2 log 2 N/2 ) and (i.e 2 log 2 N/2-1 )  Try all the possible combinations of the top few bits and pick the first peak i.e q.

Timing Attack (Contd.)  Let g=q for top i-1 bits. Remaining bits of g=0(g<q)  Recover i’th bit of q as follows: –(1) g hi =g, but with i’th bit 1. If i’th bit of q is 1 then g<g hi <q, else g<q<g hi. –(2) u g =gR -1 mod N, u ghi =g hi R -1 mod N –(3) t1=DecryptTime(u g ), t2=DecryptTime(u ghi ). –(4) D=|t1-t2|.  If D is large then g<q<g hi and i’th bit of q is 0, otherwise the bit is 1.  Previous D values considered  Decrypting just g results in weak indicator in sliding windows.

Experiment 1  Parameters –Neighborhood size n, Sample Size s –Total number of queries is s*n Using sample size of 7 and neighborhood of 400, total queries. Attack time (on 1024-bit key) is about 2 hours.

Experiment 2  Architecture effects: compare two versions of a program making local calls to OpenSSL: “regular” and “extra-inst” with 6 additional nops before decryption.

 Compile-time effects:  Optimized (-O3 –fomit_frame_pointer –mcpu=pentium);  No Pentium flag (-O3 –fomit_frame_pointer);  Unoptimized (-g). Experiment 3

Defense  Defense: –Only one multiplication routine and always carry out extra reduction in Montgomery ’ s algorithm –Quantize all RSA computations –Blinding (Currently preferred)

Blinding Defenses  Before decryption compute x=r e g mod N where r is random.  Then decrypt x and compute x/r.